msundman
Frequent Visitor
Topic Author
Posts: 76
Joined: Thu Jan 15, 2009 2:44 pm
Location: Stockholm, Sweden

How are the firewall chains traversed?

Mon Feb 16, 2009 2:13 pm

This started as a discussion in another thread that got very off-topic so I start a new topic about it instead.
Each chain is traversed independently from top to bottom. DNAT is done in the prerouting chain, which is processed before any routing decision is made, while SNAT is done in the postrouting chain. So the order you add rules in is only significant within a specific chain. Whether you add the SNAT rules first and then the DNAT rules, or first add all DNAT rules and then the SNAT rules, really shouldn't matter.

The DNAT rules will always be processed first anyway as they are processed by the prerouting chain.

Ref: http://www.faqs.org/docs/iptables/trave ... ables.html
msundman is right, I just messed it up. MikroTik is making my Linux skills weak. By the way, he is right: in Linux, iptables works on chains

1. PREROUTING
2. INPUT
3. FORWARD
4. OUTPUT
5. POSTROUTING

Rules are read in chains following the order of the chains above.

However, it is not the same in MikroTik: rules are read from top to bottom, and I have personally experienced it.
That's interesting. I thought RouterOS was using netfilter/iptables internally to do packet filtering and thus should be traversing chains the same way. So that is not true then? Has MikroTik written their own packet filtering engine?

On Linux all DNAT:ing is done in the PREROUTING chain BEFORE the routing decision is made, and SNAT:ing is done AFTER the routing decision has been made, and therefore it never makes any difference whether you add SNAT or DNAT rules first.

When and how are SNAT and DNAT being done on ROS then, if you are saying that it actually DOES matter on ROS?

Can you give me an example of a config that gives different results depending on whether you have the SNAT or the DNAT rules at the top of the NAT rules list?

Anyone else that can confirm this?
 
galaxynet
Long time Member
Posts: 646
Joined: Fri Dec 17, 2004 2:52 pm

Re: How are the firewall chains traversed?

Mon Feb 16, 2009 3:54 pm

Each chain is traversed independently from top to bottom. DNAT is done in the prerouting chain, which is processed before any routing decision is made, while SNAT is done in the postrouting chain. So the order you add rules in is only significant within a specific chain. Whether you add the SNAT rules first and then the DNAT rules, or first add all DNAT rules and then the SNAT rules, really shouldn't matter.

The DNAT rules will always be processed first anyway as they are processed by the prerouting chain.

Ref: http://www.faqs.org/docs/iptables/trave ... ables.html
The above IS correct. It does not matter which order you put DNAT / SNAT rules into MT; what matters is the order of the rules WITHIN each chain.

I suspect that mudasir put rules in his MT in a specific order (the DNAT / SNAT) and experienced the lag between when the rules were put in and when the MT box actually implemented them.... I have a few thousand MT RBs and it does not matter the order of putting in DNAT / SNAT only the order within the chain (DNAT / SNAT).

R/

Thom
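The traversal the two posts above describe, as an added example that is not from this thread or from RouterOS/netfilter itself: a small Python model of the nat table in which dst-nat rules are consulted in prerouting before the routing decision and src-nat rules in postrouting afterwards, first match wins in each chain. All addresses and the "lan"/"wan" routing rule are constructed for the illustration.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int

# Constructed addresses from the RFC 5737 documentation ranges.
WAN_IP = "203.0.113.1"        # router's public address
WEB_SERVER = "192.168.1.10"
OTHER_SERVER = "192.168.1.20"

# A rule is (chain, match predicate, translated address). Only "prerouting"
# rules do dst-nat and only "postrouting" rules do src-nat.
dnat_web = ("prerouting", lambda p: p.dst == WAN_IP and p.dport == 80, WEB_SERVER)
dnat_all = ("prerouting", lambda p: p.dst == WAN_IP, OTHER_SERVER)
snat_lan = ("postrouting", lambda p: p.src.startswith("192.168."), WAN_IP)

def first_match(rules, chain, pkt):
    """Translated address of the first matching rule in `chain`, else None."""
    for rule_chain, match, addr in rules:
        if rule_chain == chain and match(pkt):
            return addr
    return None

def traverse(rules, pkt):
    """One packet through the nat table: prerouting, routing decision, postrouting."""
    new_dst = first_match(rules, "prerouting", pkt)   # dst-nat, before routing
    if new_dst is not None:
        pkt = replace(pkt, dst=new_dst)
    # Routing decision is taken on the already-translated destination.
    out_iface = "lan" if pkt.dst.startswith("192.168.") else "wan"
    new_src = first_match(rules, "postrouting", pkt)  # src-nat, after routing
    if new_src is not None:
        pkt = replace(pkt, src=new_src)
    return pkt, out_iface

# Constructed sample packets: one inbound from the Internet, one outbound from the LAN.
INBOUND = Packet(src="198.51.100.7", dst=WAN_IP, dport=80)
OUTBOUND = Packet(src="192.168.1.50", dst="198.51.100.7", dport=443)

def demo():
    """Same rules entered SNAT-first vs DNAT-first, then two DNAT rules swapped within the chain."""
    snat_first = traverse([snat_lan, dnat_web, dnat_all], INBOUND)
    dnat_first = traverse([dnat_web, dnat_all, snat_lan], INBOUND)
    swapped = traverse([dnat_all, dnat_web, snat_lan], INBOUND)
    return snat_first, dnat_first, swapped

if __name__ == "__main__":
    for label, result in zip(("SNAT first", "DNAT first", "DNAT swapped"), demo()):
        print(f"{label:13}: {result}")
```

The first two orderings translate the inbound packet identically; only swapping the two dst-nat rules inside prerouting changes where port 80 lands.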
 
msundman
Frequent Visitor
Topic Author
Posts: 76
Joined: Thu Jan 15, 2009 2:44 pm
Location: Stockholm, Sweden

Re: How are the firewall chains traversed?

Mon Feb 16, 2009 4:36 pm

Thanks for confirming what I thought.

Do you also know whether ROS is actually using the Linux kernel's built-in netfilter code to do the packet filtering/NAT:ing, or whether they have implemented their own engine?
